The ciphertext refers to a customer master key that does not exist,

I have a lambda which accesses the S3.

Before, this lambda program worked well. But recently I changed KMS key of S3 or some other security group setting, (lambda source code doesn’t change)

There comes error.

I guess this lambda and S3 is not on VPC so security group is not relevant.

then,,, is it related with KMS key ????

S3 is encrypted bf3cf318-1376-44de-a014-XXXXXXXXX, so I must give the kms access permission to this lambda ?? but how?

Or am I completely wrong??

[ERROR] ClientError: An error occurred (AccessDenied) when calling the GetObject operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
Traceback (most recent call last):
  File "/var/task/app.py", line 48, in handler
    raise e
  File "/var/task/app.py", line 45, in handler
    obj = s3_client.get_object(Bucket=bucket_name, Key=obj_key)
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
[ERROR] ClientError: An error occurred (AccessDenied) when calling the GetObject operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. Traceback (most recent call last):   File "/var/task/app.py", line 48, in handler     raise e   File "/var/task/app.py", line 45, in handler     obj = s3_client.get_object(Bucket=bucket_name, Key=obj_key)   File "/var/runtime/botocore/client.py", line 391, in _api_call     return self._make_api_call(operation_name, kwargs)   File "/var/runtime/botocore/client.py", line 719, in _make_api_call     raise error_class(parsed_response, operation_name)

The source code error occurs is here.

    try:
        logger.info(f"Try to get the object from bucket [{bucket_name}], key [{obj_key}]")
        obj = s3_client.get_object(Bucket=bucket_name, Key=obj_key)
    except Exception as e:
        logger.exception(e)
        raise e

Adding this pollicy lambda role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:*:678100228133:key/*"
        }
    ]
}

the message is changed

[ERROR] ClientError: An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:sts::678100228133:assumed-role/cm-dev-resource-ResizerLambdaServiceRoleAE27CE82-1WN6YXPJAJDCX/cm-dev-lambda-resizer is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:ap-northeast-1:678100228133:key/e08d0542-a4ba-42e7-9725-106a48fd24c2 because no identity-based policy allows the kms:GenerateDataKey action
Traceback (most recent call last):
  File "/var/task/app.py", line 82, in handler
    s3_client.put_object(Bucket=out_bk_name, Key=key, Body=data, ContentType=content_type)
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
[ERROR] ClientError: An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:sts::678100228133:assumed-role/cm-dev-resource-ResizerLambdaServiceRoleAE27CE82-1WN6YXPJAJDCX/cm-dev-lambda-resizer is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:ap-northeast-1:678100228133:key/e08d0542-a4ba-42e7-9725-106a48fd24c2 because no identity-based policy allows the kms:GenerateDataKey action Traceback (most recent call last):   File "/var/task/app.py", line 82, in handler     s3_client.put_object(Bucket=out_bk_name, Key=key, Body=data, ContentType=content_type)   File "/var/runtime/botocore/client.py", line 391, in _api_call     return self._make_api_call(operation_name, kwargs)   File "/var/runtime/botocore/client.py", line 719, in _make_api_call     raise error_class(parsed_response, operation_name)

>Solution :

See the part of the error message in bold:

[ERROR] ClientError: An error occurred (AccessDenied) when calling the GetObject operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

And your question:

so I must give the kms access permission to this lambda

It appears that you have not provided KMS permission in the IAM role assigned to the Lambda function.

KMS keys also have an access policy that may be blocking Lambda access. If fixing the Lambda function’s IAM role doesn’t resolve this issue then I would look at that.

Leave a Reply